Carbanak malware offered criminals the chance to steal up to $10 million per heist.
CANCUN, MEXICO: Kaspersky researchers have discovered the theft of $1 billion from banks over the past two years.
Researchers from the security firm, working with the International Criminal Police Organization (Interpol), Europol and national law enforcement agencies including the Dutch National High Tech Crime Unit (NHTCU), have uncovered a two-year criminal operation that relieved banks worldwide of $1 billion.
Since 2013 the gang has attacked banks, e-payment systems and other financial institutions using the Carbanak malware, striking banks in approximately 30 countries.
What makes this crime unusual is the fact individual end users were not targeted; rather, banks themselves were the victims.
Sergey Golovanov, Principal Security Researcher at Kaspersky Lab's Global Research and Analysis Team, told attendees at the Kaspersky Lab Security Analyst Summit that tracking the operation began when he was shown a video of a criminal taking money from an ATM without touching the machine.
A bank then asked the security company for help, as every ATM in a particular area had been emptied. Golovanov and his colleagues first searched the ATM network itself for malware and came up short, finding instead a "terrible" misconfiguration of the network. That led them to code from the Carberp and Anunak malware families, publicly leaked malicious code that was reused in Carbanak.
The presence of this code provided the trail the team followed to Carbanak in the internal network of a Moscow-based bank. The infection, which began with three spear-phishing emails, had gone undetected in the bank's network for two months. In total, 22 exploits of Chinese origin were found.
This one case made it possible to connect the dots between other ATM thefts, fraudulent bank transfers and missing deposits at banks around the world. The discovery of Carbanak "united all of the theft cases around the world through one advanced persistent threat (APT)," according to Golovanov.
Once a machine was infected with Carbanak, the malware spread across the internal corporate network and tracked down administrators' computers, then used covert screen-recording software to capture the activity of staff operating cash-transfer systems.
With this data, the criminal gang were able to mimic staff members and transfer cash fraudulently. Online banking and international payment systems were used to deposit stolen funds in Chinese and US accounts. It is possible that transfers were also made to bank accounts in other countries.
However, the criminal activity did not end there. In other cases, the attackers "penetrated right into the very heart of the accounting systems," Kaspersky says. The criminals inflated account balances in the bank's own records and then transferred the money out. This is a covert way of stealing funds without alarming the account owner: only the artificially added amount was moved, so the customer's original balance remained intact and nothing looked wrong from the account holder's side.
Another way the cybercriminals stole bank funds was through compromised ATMs. Via Carbanak, ATMs were "ordered" to dispense cash at pre-determined times, with a criminal associate waiting at the machine to collect it. This was the case that first brought Carbanak to the security firm's attention.
It is estimated that the cybercriminals made off with approximately $1 billion over 24 months. The largest sums were taken by breaking into banks directly, with up to $10 million stolen in a single raid, according to the security experts. On average, each robbery took between two and four months from initial infection to theft.
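The balance-inflation scheme above can be caught by a control that Kaspersky's account does not spell out: recomputing every account's balance from its posted transactions and flagging any balance the audit trail cannot explain. The following Python is an added illustration, not code from Kaspersky or from the Carbanak investigation; the `Account` structure, the `reconcile` check and the sample ledger are constructed for this example, and `simulate_inflation_fraud` models the scheme as the article describes it (raise the stored balance directly, then move exactly the added amount out through a normal transfer).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed data model (not taken from any real core banking system).
# Each account carries the balance the accounting system currently reports
# plus the posted transactions that are supposed to explain that balance.
@dataclass
class Account:
    account_id: str
    opening_balance: int                 # in cents
    reported_balance: int                # balance as stored/shown by the system
    transactions: List[Tuple[str, int]] = field(default_factory=list)  # (txn_id, amount_cents)


def expected_balance(acct: Account) -> int:
    """Recompute the balance from the audit trail alone."""
    return acct.opening_balance + sum(amount for _, amount in acct.transactions)


def reconcile(accounts: List[Account]) -> Dict[str, int]:
    """Return {account_id: unexplained_delta} for every account whose reported
    balance is not explained by posted transactions. A positive delta means the
    stored balance was raised without a posting, which is the inflation step."""
    findings: Dict[str, int] = {}
    for acct in accounts:
        delta = acct.reported_balance - expected_balance(acct)
        if delta != 0:
            findings[acct.account_id] = delta
    return findings


def simulate_inflation_fraud(acct: Account, inflate_by: int) -> Account:
    """Model the scheme described in the article: the stored balance is edited
    directly (no transaction is posted), then exactly the added amount leaves
    through a legitimate-looking transfer. The owner still sees the original
    balance afterwards, so the theft is invisible to them."""
    acct.reported_balance += inflate_by                 # direct edit of the stored balance
    acct.transactions.append(("TX-OUT", -inflate_by))   # normal, logged outbound transfer
    acct.reported_balance -= inflate_by
    return acct


def build_sample_ledger() -> List[Account]:
    """Constructed sample ledger: one clean account and one the attacker has used."""
    clean = Account("ACC-0001", 100_000, 120_000, [("TX-1", 25_000), ("TX-2", -5_000)])
    victim = Account("ACC-0002", 100_000, 100_000)
    simulate_inflation_fraud(victim, 900_000)           # $9,000 added and moved out
    return [clean, victim]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for acct in ledger:
        print(acct.account_id, "owner sees", acct.reported_balance / 100)
    print("unexplained balance deltas:", reconcile(ledger))
```

Running the reconciliation after the transfer still flags the victim account with a positive delta equal to the stolen amount, because the outbound transfer is posted but the balance increase that funded it never was. Running the same check between the two steps catches the inflated balance before any money leaves, which is why it belongs on a schedule rather than only in a post-incident review.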
The researchers say it is likely the criminal actors originate from Russia, Ukraine, Europe and China. Countries including the US, UK, Australia, Canada and Hong Kong have been targeted -- and the operation remains active.
"These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn't even need to hack into the banks' services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery."